A Trend Micro Whitepaper I May 2016 Moving Beyond Prevention: Proactive Security with Integrity Monitoring Detecting unauthorized changes can be a daunting task—but not doing so may allow a breach to go undetected or you to be out of compliance with key regulations like PCI, HIPAA, and others. With Trend Micro Deep Security’s system security capabilities like integrity monitoring, organizations can detect and alert on malicious changes in real-time, giving increased visibility and security. Version: 1.0 »
10
Embed
Moving Beyond Prevention: Proactive Security with ...cstor.com/wp-content/uploads/2016/10/Trend-Micro_Moving-Beyond... · Moving Beyond Prevention: Proactive Security with In tegrity
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
ATrendMicroWhitepaperIMay2016
Moving Beyond Prevention: Proactive Security with Integrity Monitoring
With these customizable templates, administrators can build integrity monitoring rules to best fit
the need of the organization.
Page 5 of 10 | Trend Micro Whitepaper Moving Beyond Prevention: Proactive Security with Integrity Monitoring
WHAT KIND OF MALICOUS ACTIVITY CAN DEEP SECURITY DETECT?
There are many TTPs that have been identified and, depending on the system, may be important
to monitor. That’s why Deep Security’s Integrity Monitoring rules can be used to monitor for a wide
range of things, including:
• Autorun programs being installed
• Shrinking of log files
• Host file being modified
• Stopping of Anti-Malware
• Installing services
• Network drivers being installed
• Dropping files in the Windows & Win\System32 directory
• Tampering with Web server files and/or directories
• Exfil data
• File permission change (but no file change)
With such broad coverage, it is an ideal solution for proactive security requirements, including
those highlighted in sections 6, 10, 11, & 12 of PCI-DSS 3.2.
Below are some examples of how Integrity Monitoring, as a part of Deep Security’s system
security package, can help monitor and alert on important changes in your environment that may
be indicators of compromise (IOCs).
Detecting a Website Defacement
Keeping an eye on changes to files such as the index.html or index.php is a very good way
to quickly figure out you've been hacked, and
if monitoring for it, can enable a rapid reaction to fix the problem and reduce exposure time.
Depending of the version of Web server,
monitoring changes to the .htaccess file is also important. A .htaccess (hypertext access) file
is the common name of a directory-level
configuration file which allows decentralized management of Web server configuration.
Attackers use the .htaccess file to
hide malware, backdoors, injecting content and for many other purposes.
Detecting Web Shells
A Web shell is a script/code that runs on a system and can give an attacker remote access to functions on that server. Web shells can be written in any language that a server supports, with
the the most common being PHP and .NET languages. These shells can be extremely small,
needing only a single line of code or can be full featured with thousands of lines.
Page 6 of 10 | Trend Micro Whitepaper Moving Beyond Prevention: Proactive Security with Integrity Monitoring
Web shells can be installed on a Web server through a compromise such as SQL injection,
Remote File Inclusion (RFI), an un-validated file upload feature, or through a valid user’s stolen credentials. Once that happens they can gain shell-level access to the host operating system.
To avoid detection by firewalls or antivirus technologies, the attacker may employ evasion
techniques such as code obfuscation and encryption. This is where Integrity Monitoring can be extremely useful, as it will notify of all changes to the system and therefore these evasion
techniques will not be successful.
Detecting Log File Shrinkage
The expectation that a log file will only grow in size and not shrink
is considered to be normal. So detecting such a change is important, as it is a potential IOC. This event may be an attacker
trying to cover his\her tracks. Removing log entries related to the
attack will make it harder for system admins or forensic
investigators track down how the breach happened. It may even help to hide further penetration into the organization reducing the
likelihood of being found.
Detecting Lateral Movement
Lateral movement—such as pivoting on the compromised internal
network— is an important technique for attackers. A compromised system may be the only entry point to the network. Pivoting allows
the attacker to move around unobstructed, bridging the network
through this intermediate system. This allows them to gain access
to systems they may not otherwise be able to reach.
Pivoting requires ports to be open and certain services to be
running. Integrity Monitoring can be configured to alert if any of these are newly added to a system. For example, a Meterpreter
session listening on port 4444 will trigger an alert. Invoking NetCat
as a listener will do the same.
HOW IT WORKS?
Deep Security Integrity Monitoring is a feature that detects changes to select system areas by comparing the current condition of these areas with a hash-based baseline.
These hash-based baselines are created by performing a baseline scan of the areas on the computer specified in the assigned rule. Periodic rescanning of those areas then looks for
changes.
Page 7 of 10 | Trend Micro Whitepaper Moving Beyond Prevention: Proactive Security with Integrity Monitoring
This comparison can be triggered using the follow methods:
• Manually using On-Demand scan trigger -
With this option an administrator can initiate a scan
by manually clicking the “Scan for Integrity” button
or by scheduling a scan in the Deep Security
Manager console.
• Automatically using the Real-Time trigger -
This will be triggered with a change is detected on
the monitored entity.
Integrity Monitoring Rules
Integrity Monitoring rules allow the Deep Security Agents to scan for and detect changes. These
changes are logged as events in the Deep Security Manager and can be configured to generate alerts. Integrity Monitoring rules can be assigned directly to systems or can be made part of a
policy, which can then be applied to multiple systems.
Integrity Monitoring rules specify which
entities (files, registry keys, services, etc) to
monitor for changes. Deep Security scans all
the entities specified by the rules assigned to a system and creates a baseline against
which to compare future scans of the system.
If future scans do not match the baseline, the Deep Security Manager will log an
Integrity Monitoring event and trigger an alert
(if so configured).
INTERGRITY MONITORING DEEP DIVE – WEB SHELLS
As was stated previously, a Web shell is a script/code that runs on a system
and gives an attacker remote access to functions of the server. They can be
installed on a server through a number of methods using techniques like SQL injection, Remote File Inclusion, an unrestricted file upload feature or through a
valid user’s stolen credentials.
In this Deep Dive we will configure Deep Security’s Integrity Monitoring to alert
if a specific change is made to a folder on our Web server. In this scenario the
business logic of our application only allows for the Microsoft Word file type
only. If any other file type exists in the uploads folder, it is a strong indicator of an attack which could be a Web shell. We will also monitor for changes to the
listening ports on the server, as this another strong indicator.
Configuring Deep Security
We first configure and install the Deep Security Agent (DSA) and enable Integrity Monitoring. We
then “Scan for Recommendations” and choose the option to automatically apply recommended rules.
Note: In this Deep Dive,
rules are being configured on an individual system. Multiple systems can be
configured by first configuring a policy, and then applying that policy to
each system.
Page 8 of 10 | Trend Micro Whitepaper Moving Beyond Prevention: Proactive Security with Integrity Monitoring
At this point a base set of Integrity Monitoring rules have been applied to the Web server. These
recommended rules have already been configured to notify if changes are detected. Additional customization of the rules can still be performed and in some cases may be required because of
specific server and/or application requirements. In our scenario, a
new rule is required to monitor the uploads folder on our Web
server. We also modified an existing rule (Unix – Open Port Monitor) to send real time alerts if a change is made to the
listening ports on the server.
To create a new rule, we open the Integrity Monitoring tab in the
Deep Security Manager interface, click Assign/Unassign, then
click New and then New Integrity Monitoring Rule. On the General tab we can set the name and choose the Severity. On the Content
tab we need to choose a template. In our example we select File
and then set the Base Directory we want monitor. We can also
include and exclude files to monitor. In our example the business logic of our application only allows for Microsoft Word format only.
Therefore, we add *.doc to the “Exclude Files with Names Like”
box. This rule will then trigger for any file added to the uploads folder that is not a Microsoft Word document. We then click the
options tab and enable alerting and real-time monitoring. We click
ok and assign the rule to the server.
We then find and highlight the “Unix – Open Port Monitor” rule and
click properties. On the options tab we enable alerting.
Now that we have all the rules created and modified we need to build a
baseline. To do that we click on Rebuild Baseline on the Integrity Monitoring
tab. Once the task is finished, our system is ready to monitor any changes to the folder.
We also need to configure an On-Demand integrity scan to check the server
for changes. We do this in the Deep Security Manager console under Schedule Tasks. We schedule the task to run daily at 12:20 pm. An On-
Demand scan is not required for listening ports as events are captured in real
time.
Note: Trend Micro Deep Security Integrity
Monitoring provides real time integrity monitoring for all Windows systems
Entities. For Linux, real time monitoring is only available for identifying
changes to running services, processes and listening ports.
Page 9 of 10 | Trend Micro Whitepaper Moving Beyond Prevention: Proactive Security with Integrity Monitoring
Exploiting the system
In our scenario, an attacker exploits a new discovered file upload vulnerability which allows
unrestricted uploads to the server. The attacker uploads a file that contains only a few lines of
code which allow direct access to the server using a command summited through the URL. This is also known as a Web shell. See Figure 2 for for further details.
The attacker returns later to execute a specially crafted URL that gives command line access to the server. They then start executing commands against the server as part of the reconnaissance
phase of the attack.
In Deep Security, the addition of the file to the Web server triggers our Integrity Monitoring rule, and an alert is displayed after our daily scan has completed. At this point, an organization would
be able to take action to stop the attack and hopefully stop it from spreading. If the attack includes
changes to running ports, Deep Security’s real-time Integrity Monitoring picks up this change, and alerts administrators stop the attack. They can then fix the vulnerability on the server, which
prevents the attack from happening again.
Figure2:DetailsoftheWebShellattack
Note: In our Deep Dive example, the only control that we are illustrating is Integrity Monitoring.
We are not using any other Deep Security capabilities, which could be used to provide real-time
protection for the servers. These include additional capabilities from the Anti-malware, Network,
and System Security packages.
Page 10 of 10 | Trend Micro Whitepaper Moving Beyond Prevention: Proactive Security with Integrity Monitoring
CONCLUSION
As organizations search for better ways to protect their environments, Trend Micro Deep Security
can play a significant role in addressing many server security requirements. Delivered from the
market leader in server security2, Deep Security can address server security across physical, virtual, cloud & hybrid environments. Available as software, service, or via the AWS and Azure
marketplaces, it can help organizations streamline the purchasing and implementation of
essential security elements required to protect their environment.
Deep Security includes a comprehensive set of host-based security controls, including:
• Network security enabling virtual patching through Intrusion Detection & Prevention (IDS/IPS) and a host-based firewall
• Anti-malware with Web reputation to protect vulnerable systems
from the latest in threats
• System security through integrity monitoring & log inspection,
enabling the discovery of unplanned or malicious changes to
registry and key system files, as well as discovering anomalies in critical log files.
As discussed in this paper, as a part of the system security package, Deep Security’s Integrity
Monitoring goes beyond typical file integrity monitoring, enabling organizations to:
• Identify suspicious changes on servers, including flagging things like registry settings,
system folders, and application files that shouldn’t change—when they do. This includes
examples like detecting Web site defacement, Web shells, log file shrinkage, and lateral movement.
• Accelerate compliance with key frameworks like the SANS/CIS Critical Security Controls,
as well as key regulations like PCI-DSS and HIPAA. For example, PCI-DSS 3.2
specifically calls out file integrity monitoring in sections 6, 10, 11, and 12. Beyond integrity monitoring, Deep Security also helps by delivering multiple security controls, central
control, and easy reporting in a single product.
Find out more about Deep Security on our Web site: www.trendmicro.com/hybridcloud.
TrendMicroIncorporated,agloballeaderinsecuritysoftware,strivestomaketheworld safe for exchanging digital information. Our innovative solutions forconsumers,businessesandgovernmentsprovidelayeredcontentsecuritytoprotectinformationonmobiledevices,endpoints,gateways,serversandthecloud.Allofour solutions are powered by cloud-based global threat intelligence, the TrendMicro™SmartProtectionNetwork™,andaresupportedbyover1,200threatexpertsaroundtheglobe.Formoreinformation,visitwww.trendmicro.com.
All other company and/or product names may be trademarks or registered trademarks of their owners. Information contained in this document is subject to change without notice. [WP01_Beyond_Prevention_Proactive_Security_201605US]